- Resume Clinic
- Job Fair
- CXO Track
- For You
- Hackers Horror Stories
- Bug Bounty Programs & What They Mean for Hunters and Companies
Bug Bounty Programs & What They Mean for Hunters and Companies
Bug bounty hunters, or the morally sophisticated hackers, are those who look for vulnerabilities in software systems only to report them responsibly to the concerned organizations. Bug bounty hunters help companies find about the vulnerabilities in their applications before hackers can exploit them.
By that means, bug bounty programs are a win-win between companies and white hat hackers. Bug bounty hacking has gone from a past-time activity to an emerging occupation. Businesses are getting more and more serious about the security of their software services and are actively encouraging bug bounty hunters to check and test their offerings.
The Good and the Bad of Bug Bounty Hunting
Beyond being a shiny occupation, bug bounty hunting takes real sweat and toil. Experienced bug bounty hunter Nikhil Mittal says the stream has a lot of scope, but the wages fluctuate a lot. At one time, you could be lucky to earn a lot, while still trying to make ends meet at a different time. He reveals that duplicate bugs are a major source of disappointment and hog important hours for bounty hunters.
However, he had some pretty huge wins in his basket. Nikhil says besides the amount of money he has earned following his passion, he was once offered a full-time job in a reputed company for whom he reported a few bugs. He says he was taken aback by their gesture!
Companies in India and abroad that allow users to perform financial transactions are rapidly installing bug bounty programs. Given the number of data breaches that took place in 2018 alone, we are not shocked to see companies getting real with their security practices.
Coming Trends in Bug Bounty Hunting
Famed bug bounty hunter Sandeep Singh aka Geekboy talks about the trends he sees coming for companies and bug bounty programs. Sandeep believes bug bounty industry is going to be more noisy and visible in the years to come, as an increasing number of hackers are joining the community and an ever increasing number of companies are getting serious about security.
There is a huge demand for ethical hackers as businesses roll out bug bounty programs with vast sums of rewards. However, there still seems to be a gap in the skills of security professionals and the demands of this occupation.
Sandeep says bug bounty hunters need to continually stay on top of trends and technologies, so they can be the first ones to discover vulnerabilities in cutting-edge solutions based on IoT, smart contracts, hardware, etc. There is an urgent need for expert security professionals to up their game and stay ahead of hackers with malicious intentions.
Upskilling of security enthusiasts is also a win-win for them and companies looking for them.
Companies with Successful Bug Bounty Programs in India
Three years back when Ola was hacked, compromising the data of millions of users, they created India’s first full-fledged bug bounty program to encourage independent security researchers to help them create a safe platform.
The company now offers up to 3,00,000 INR for security loopholes such as injections, server-side issues, client-side issues, and other valid security vulnerabilities. Apart from that, Ola promises goodies to hackers to help find significant security flaws. What’s more, Ola even honors security researchers who collaborate with them to resolve bugs on their Hall of Fame page.
Ola has seen success with its program. Security research bloggers from Fallible say Ola awarded them with $1000 in bounty and some electronic goodies for reporting vulnerabilities in one of their apps. The researchers also claim Ola took around 2 months to fix their reported bug.
McDonalds India (West and South) runs a bug bounty program in India for its web and mobile apps for McDelivery. In 2017, researchers from Fallible discovered a huge vulnerability in their app. They found it was possible for hackers to dump the data of 2.2 million users by exploiting a flaw.
After reporting the vulnerability to McDonalds India, the Fallible researchers published a blog saying the leaked information could potentially contain users’ names, phone numbers, email addresses, social proofs, and residential addresses. However, the security researchers’ continuous emails to McDonalds India went unnoticed.
Due to the lack of stringent security policies in India, some companies take data security for granted.
Paytm is another company running a bug bounty program in India. Avinash Jain, an independent security researcher found a vulnerability in Paytm’s electricity bill payment service. Through a series of steps, he could dump the data of users, including their name, address, electricity bill amount, and date of birth. Avinash reported this vulnerability to Paytm in Nov 2017. Paytm fixed the bug in Jan 2018 and rewarded Avinash for his efforts the same day.
Later in June the same year, the bug got reopened somehow and Avinash reported and got rewarded again.
If companies are to encourage bug bounty hunters to find and responsibly report flaws in their systems, they need to be serious about their app’s security. There is nothing more off-putting for a bug bounty hunter to discover and report a flaw to a business only for them to ignore it.
As companies need more and more skilled security professionals searching for bugs in their platform, it is in their favor to network with security professionals.
Sandeep reveals bug bounty hunting allows you to be your own boss, and work with freedom and flexibility.
From 2016, nullcon has started a BountyCraft Track. It is a platform where the Bug Bounty Program offering companies (Microsoft, Apple, Google) & crowdsourced security platforms (Bugcrowd, Hackerone, NCC Group, Crowdfense) interact directly with Bug Bounty Hunters. They give insights on top bugs of the year, hacking methodologies, private bug bounties, etc.
Checkout BountyCraft Track speakers for nullcon Goa 2019, here.
- Written by Divya Agrawal & Edited by Pratik Ghumade for nullcon